EMT Practice Test

1. Question Content...


Question List

Question1: Which protection feature is available only in a Zone Protection Profile?

Question2: Which option is part of the content inspection process?

Question3: Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)

Question4: Which two options are required on an M-100 appliance to configure it as a Log Collector?
(Choose two)

Question5: Which Captive Portal mode must be configured to support MFA authentication?

Question6: A Network Administrator wants to deploy a Large Scale VPN solution. The Network Administrator has chosen a GlobalProtect Satellite solution. This configuration needs to be deployed to multiple remote offices and the Network Administrator decides to use Panorama to deploy the configurations.
How should this be accomplished?

Question7: A company has a policy that denies all applications it classifies as bad and permits only application it classifies as good. The firewall administrator created the following security policy on the company's firewall.

Which interface configuration will accept specific VLAN IDs?
Which two benefits are gained from having both rule 2 and rule 3 presents? (choose two)

Question8: How can a Palo Alto Networks firewall be configured to send syslog messages in a format compatible with non-standard syslog servers?

Question9: Which PAN-OS policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data?

Question10: An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make?
A)

B)

C)

D)

E)

Question11: How are IPV6 DNS queries configured to user interface ethernet1/3?

Question12: Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet 1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

Question13: A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Which statement is true about this deployment?

Question14: Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?

Question15: What can missing SSL packets when performing a packet capture on dataplane interfaces?

Question16: A host attached to ethernet1/3 cannot access the internet. The default gateway is attached to ethernet1/4. After troubleshooting. It is determined that traffic cannot pass from the ethernet1/3 to ethernet1/4. What can be the cause of the problem?

Question17: After pushing a security policy from Panorama to a PA-3020 firwall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama's traffic logs. What could be the problem?

Question18: An administrator has left a firewall to use the default port for all management services.
Which three functions are performed by the dataplane? (Choose three.)

Question19: Which three steps will reduce the CPU utilization on the management plane? (Choose three.)

Question20: A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com.
At other times the session times out.
The NGFW has been configured with a PBF rule that the user's traffic matches when it goes to http://www.company.com.
How can the firewall be configured automatically disable the PBF rule if the next hop goes down?

Question21: A network Administrator needs to view the default action for a specific spyware signature.
The administrator follows the tabs and menus through Objects> Security Profiles> Anti- Spyware and select default profile.
What should be done next?

Question22: An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router.
Which two options enable the administrator to troubleshoot this issue? (Choose two.)

Question23: Which CLI command can be used to export the tcpdump capture?

Question24: Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

Question25: People are having intermittent quality issues during a live meeting via web application.

Question26: The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router.
Which two options would help the administrator troubleshoot this issue? (Choose two.)

Question27: To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?

Question28: Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS version, and serial number?

Question29: Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accomplish this goal?

Question30: Server Message Block (SMB), a common file-sharing application, is slow when passing through a Palo Alto Networks firewall. The Network Security Administrator created an application override policy, assigning all SMB traffic to a custom application, to resolve the slowness issue.
Why does this configuration resolve the issue?

Question31: The GlobalProtect Portal interface and IP address have been configured. Which other value needs to be defined to complete the network settings configuration of GlobalPortect Portal?

Question32: A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-OS software would help in this case?

Question33: An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same NGFW. The update contains an application that matches the same traffic signatures as the custom application.
Which application should be used to identify traffic traversing the NGFW?

Question34: The company's Panorama server (IP 10.10.10.5) is not able to manage a firewall that was recently deployed. The firewall's dedicated management port is being used to connect to the management network.
Which two commands may be used to troubleshoot this issue from the CLI of the new firewall? (Choose two)

Question35: A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers.
Which option will protect the individual servers?

Question36: A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC provides the information needed to create the report?

Question37: Which tool provides an administrator the ability to see trends in traffic over periods of time, such as threats detected in the last 30 days?

Question38: A network security engineer has been asked to analyze Wildfire activity. However, the Wildfire Submissions item is not visible form the Monitor tab.
What could cause this condition?

Question39: What are two benefits of nested device groups in Panorama? (Choose two.)

Question40: An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and experiencing issues completing the connection. the following is the output from the command:

What could be the cause of this problem?

Question41: An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing.
The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown.
The next two entries show traffic allowed as application SSL.
Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL?

Question42: Which setting allow a DOS protection profile to limit the maximum concurrent sessions from a source IP address?

Question43: When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?

Question44: Which Palo Alto Networks VM-Series firewall is valid?

Question45: An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair.
Which NGFW receives the configuration from Panorama?

Question46: Which feature must you configure to prevent users form accidentally submitting their corporate credentials to a phishing website?

Question47: An administrator has configured the Palo Alto Networks NGFW's management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.
Which configuration setting or step will allow the firewall to get automatic application signature updates?

Question48: Which two actions are required to make Microsoft Active Directory users appear in a firewall traffic log? (Choose two.)

Question49: An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama. Pre-existing logs from the firewalls are not appearing in Panorama.
Which action would enable the firewalls to send their pre-existing logs to Panorama?

Question50: Which Public Key infrastructure component is used to authenticate users for GlobalProtect when the Connect Method is set to pre-logon?

Question51: Which authentication source requires the installation of Palo Alto Networks software, other than PAN-OS 7x, to obtain a username-to-IP-address mapping?

Question52: An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone.
What must the administrator configure so that the PAN-OS software can be upgraded?

Question53: Given the following table.

Which configuration change on the firewall would cause it to use 10.66.24.88 as the next hop for the 192.168.93.0/30 network?

Question54: If an administrator does not possess a website's certificate, which SSL decryption mode will allow the Palo Alto networks NGFW to inspect when users browse to HTTP(S) websites?

Question55: Which two logs on the firewall will contain authentication-related information useful for troubleshooting purpose (Choose two)

Question56: Which two interface types can be used when configuring GlobalProtect Portal?(Choose two)

Question57: A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall. Which method shows the global counters associated with the traffic after configuring the appropriate packet filters?

Question58: An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the Policies tab. Which profile is the cause of the missing Policies tab?

Question59: Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?

Question60: Which CLI command displays the current management plan memory utilization?

Question61: A company.com wants to enable Application Override. Given the following screenshot:

Which two statements are true if Source and Destination traffic match the Application Override policy? (Choose two)

Question62: How does Panorama handle incoming logs when it reaches the maximum storage capacity?

Question63: Which three rule types are available when defining policies in Panorama? (Choose three.)

Question64: Which three settings are defined within the Templates object of Panorama? (Choose three.)

Question65: Which three options are supported in HA Lite? (Choose three.)

Question66: Which client software can be used to connect remote Linux client into a Palo Alto Networks Infrastructure without sacrificing the ability to scan traffic and protect against threats?

Question67: An administrator needs to implement an NGFW between their DMZ and Core network.
EIGRP Routing between the two environments is required. Which interface type would support this business requirement?

Question68: What are two prerequisites for configuring a pair of Palo Alto Networks firewalls in an active/passive High Availability (HA) pair? (Choose two.)

Question69: An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?

Question70: Which three options does the WF-500 appliance support for local analysis? (Choose three)

Question71: Which event will happen if an administrator uses an Application Override Policy?

Question72: A network security engineer needs to configure a virtual router using IPv6 addresses.
Which two routing options support these addresses? (Choose two)

Question73: If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?

Question74: Only two Trust to Untrust allow rules have been created in the Security policy Rule1 allows google-base Rule2 allows youtube-base The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When user try to accesss https://www.youtube.com in a web browser, they get an error indecating that the server cannot be found.
Which action will allow youtube.com display in the browser correctly?

Question75: YouTube videos are consuming too much bandwidth on the network, causing delays in mission-critical traffic. The administrator wants to throttle YouTube traffic. The following interfaces and zones are in use on the firewall:
* ethernet1/1, Zone: Untrust (Internet-facing)
* ethernet1/2, Zone: Trust (client-facing)
A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists to put the YouTube application into QoS class 6. Interface Ethernet1/1 has a QoS profile called Outbound, and interface Ethernet1/2 has a QoS profile called Inbound.
Which setting for class 6 with throttle YouTube traffic?

Question76: Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.) Which two security policy rules will accomplish this configuration? (Choose two.)

Question77: How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

Question78: Which User-ID method maps IP addresses to usernames for users connecting through an
802.1x-enabled wireless network device that has no native integration with PAN-OS software?

Question79: Which URL Filtering Security Profile action togs the URL Filtering category to the URL Filtering log?

Question80: Which two mechanisms help prevent a spilt brain scenario an Active/Passive High Availability (HA) pair? (Choose two)

Question81: A customer has an application that is being identified as unknown-top for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)

Question82: Which option is an IPv6 routing protocol?

Question83: A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects.
How would an administrator configure the interface to 1Gbps?

Question84: Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?

Question85: Which Panorama feature allows for logs generated by Panorama to be forwarded to an external Security Information and Event Management(SIEM) system?

Question86: Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site A connects directly to the internet using a public IP address. Site-B uses a private IP address behind an ISP router to connect to the internet.
How should NAT Traversal be implemented for the VPN connection to be established between Site-A and Site-B?

Question87: Which CLI command displays the current management plane memory utilization?

Question88: A network security engineer for a large company has just installed a PA-5060 Firewall to isolate the company's PCI environment from its production network. The company's engineers made configuration changes to the switches on both network segments, and connected them to the new firewall.
Soon after the cutover, however, users began to complain about latency and some servicers stopped communicating. There are no security policies that deny traffic between the two networks segments. You suspect that there is an interface misconfiguration on Ethernet 1/1.
Which two commands should be used to troubleshoot the issue? (Choose two)

Question89: How can a candidate or running configuration be copied to a host external from Panorama?

Question90: How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?

Question91: A logging infrastructure may need to handle more than 10,000 logs per second.
Which two options support a dedicated log collector function? (Choose two)

Question92: A company hosts a publically accessible web server behind a Palo Alto Networks next generation firewall with the following configuration information.
* Users outside the company are in the "Untrust-L3" zone
* The web server physically resides in the "Trust-L3" zone.
* Web server public IP address: 23.54.6.10
* Web server private IP address: 192.168.1.10
Which two items must be NAT policy contain to allow users in the untrust-L3 zone to access the web server? (Choose two)

Question93: Refer to the exhibit.

Which certificates can be used as a Forwarded Trust certificate?

Question94: Which three types of software will receive a Grayware verdict from WildFire? (Choose Three)

Question95: Which method will dynamically register tags on the Palo Alto Networks NGFW?

Question96: Click the Exhibit button

An administrator has noticed a large increase in bittorrent activity. The administrator wants to determine where the traffic is going on the company.
What would be the administrator's next step?

Question97: The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and report to 10.1.1.100 on TCP Port 8080.

Which NAT and security rules must be configured on the firewall? (Choose two)

Question98: When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall?

Question99: A session in the Traffic log is reporting the application as "incomplete." What does "incomplete" mean?

Question100: A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule.
Given the following zone information:
*DMZ zone: DMZ-L3
*Public zone: Untrust-L3
*Guest zone: Guest-L3
*Web server zone: Trust-L3
*Public IP address (Untrust-L3): 1.1.1.1
*Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of NAT Policy rule?

Question101: Which two methods can be used to mitigate resource exhaustion of an application server?
(Choose two)

Question102: Which feature prevents the submission of corporate login information into website forms?

Question103: Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?

Question104: A Security policy rule is configured with a Vulnerability Protection Profile and an action of
'Deny".
Which action will this cause configuration on the matched traffic?

Question105: A distributed log collection deployment has dedicated log Collectors. A developer needs a device to send logs to Panorama instead of sending logs to the Collector Group.
What should be done first?

Question106: When a malware-infected host attempts to resolve a known command-and-control server, the traffic matches a security policy with DNS sinhole enabled, generating a traffic log.
What will be the destination IP Address in that log entry?

Question107: A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software.
Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled.
Which component once enabled on a perirneter firewall will allow the identification of existing infected hosts in an environment?

Question108: A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.
Which VPN configuration would adapt to changes when deployed to the future site?

Question109: Which three are valid configuration options in a WildFire Analysis Profile? (Choose three.)

Question110: A network administrator uses Panorama to push security polices to managed firewalls at branch offices. Which policy type should be configured on Panorama if the administrators at the branch office sites to override these products?

Question111: Which item enables a firewall administrator to see details about traffic that is currently active through the NGFW?

Question112: Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS
8.0? (Choose two.)

Question113: A company hosts a publicly accessible web server behind a Palo Alto Networks next- generation firewall with the following configuration information:
* Users outside the company are in the "Untrust-L3" zone.
* The web server physically resides in the "Trust-L3" zone.
* Web server public IP address: 23.54.6.10
* Web server private IP address: 192.168.1.10
Which two items must the NAT policy contain to allow users in the Untrust-L3 zone to access the web server? (Choose two.)

Question114: An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are form external users accessing the company's proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats.
Which option would achieve this result?

Question115: If the firewall is configured for credential phishing prevention using the "Domain Credential Filter" method, which login will be detected as credential theft?

Question116: Click the Exhibit button below,


A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address.
He makes an HTTPS connection to 172.16.10.20.
Which is the next hop IP address for the HTTPS traffic from Will's PC?

Question117: An Administrator is configuring an IPSec VPN toa Cisco ASA at the administrator's home and experiencing issues completing the connection. The following is th output from the command:
less mp-log ikemgr.log:

What could be the cause of this problem?

Question118: What are three valid method of user mapping? (Choose three)

Question119: An administrator needs to optimize traffic to prefer business-critical applications over non- critical applications.
QoS natively integrates with which feature to provide service quality?

Question120: Several offices are connected with VPNs using static IPV4 routes. An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accoumplish this goal?

Question121: During the packet flow process, which two processes are performed in application identification? (Choose two.)

Question122: Refer to exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring platforms?

Question123: Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to dynamically create the routes between the sites. The OSPF configuration in Site-A is configured properly, but the route for the tunner is not being established. The Site-B interfaces in the graphic are using a broadcast Link Type. The administrator has determined that the OSPF configuration in Site-B is using the wrong Link Type for one of its interfaces.

Which Link Type setting will correct the error?

Question124: A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the security policies.
Which CLI command syntax will display the rule that matches the test?

Question125: Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?

Question126: Which field is optional when creating a new Security Policy rule?

Question127: A host attached to Ethernet 1/4 cannot ping the default gateway. The widget on the dashboard shows Ethernet 1/1 and Ethernet 1/4 to be green. The IP address of Ethernet
1/1 is 192.168.1.7 and the IP address of Ethernet 1/4 is 10.1.1.7. The default gateway is attached to Ethernet 1/1. A default route is properly configured.
What can be the cause of this problem?

Question128: Support for which authentication method was added in PAN-OS 8.0?

Question129: Which command can be used to validate a Captive Portal policy?

Question130: What must be used in Security Policy Rule that contain addresses where NAT policy applies?

Question131:
What will be the source address in the ICMP packet?

Question132: Refer to Exhibit:


A firewall has three PDF rules and a default route with a next hop of 172.29.19.1 that is configured in the default VR. A user named XX-bes a PC with a 192.168.101.10 IP address.
He makes an HTTPS connection to 172.16.10.29.
What is the next hop IP address for the HTTPS traffic from Wills PC.

Question133: Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs? (Choose two)

Question134: A VPN connection is set up between Site-A and Site-B, but no traffic is passing in the system log of Site-A, there is an event logged as like-nego-p1-fail-psk.
What action will bring the VPN up and allow traffic to start passing between the sites?

Question135: A network engineer has revived a report of problems reaching 98.139.183.24 through vr1 on the firewall. The routing table on this firewall is extensive and complex.
Which CLI command will help identify the issue?

Question136: PAN-OS 8.0 introduced an automated correlation engine that analyzes log patterns and generates correlation events visible in the new Application Command Center (ACC).
Which license must the firewall have to obtain new correlation objectives?

Question137: A company has a pair of Palo Alto Networks firewalls configured as an Acitve/Passive High Availability (HA) pair.
What allows the firewall administrator to determine the last date a failover event occurred?

Question138: A file sharing application is being permitted and no one knows what this application is used for.
How should this application be blocked?

Question139: After Migrating from an ASA firewall to a Palo Alto Networks Firewall, the VPN connection between a remote network and the Palo Alto Networks Firewall is not establishing correctly.
The following entry is appearing in the logs:
Pfs group mismatched: my:0 peer:2
Which setting should be changed on the Palo Alto Networks Firewall to resolve this error message?

Question140: Palo Alto Networks maintains a dynamic database of malicious domains.
Which two Security Platform components use this database to prevent threats? (Choose two)

Question141: In a virtual router, which object contains all potential routes?

Question142: Which Palo Alto Networks VM-Series firewall is supported for VMware NSX?